Section: .. / UNIX / penetration / rootkits /
|
The software in this directory is provided for the use of System Admins only, and is provided to keep them informed on the backdoors that are currently in circulation. We strongly discourage the use of these tools without proper permission.
|
| /// File Name: |
lyceum-2.46.tar.gz |
Description:
|
Lyceum is an advance stealthed client/server backdoor that uses encrypted spoofed UDP packets to administer the server and the two built-in ICMP backdoors. Each ICMP backdoor exploits a different feature of the protocol, the first creating a bi-directionally spoofed ICMP tunnel and the second uses passive nodes as zombies to relay ICMP backdoor traffic.
| | Author: | phish | | File Size: | 53720 | | Last Modified: | Jul 23 21:43:29 2004 |
| MD5 Checksum: | 2fe58f1103cb072dd24f1be121814dfb |
|
| /// File Name: |
superkit.tar.gz |
Description:
|
Superkit is an extremely user-friendly rootkit that hides files, processes, and connections. It provides a password protected remote access connect-back shell initiated by a spoofed packet. It is loaded via /dev/kmem, without support for loadable modules required, and cannot be detected by checking the syscall table, because it redirects the kernel entry point to a private copy of the syscall table. A couple of backdoors are included.
| | Author: | mostarac | | File Size: | 49939 | | Last Modified: | Nov 13 21:24:05 2003 |
| MD5 Checksum: | 9b98867b4b10b9461c06b82f42d2e9b0 |
|
| /// File Name: |
sk-1.3a.tar.gz |
Description:
|
The SucKIT is easy-to-use, Linux-i386 kernel-based rootkit. The code stays in memory through /dev/kmem trick, without help of LKM support nor System.map or such things. Everything is done on the fly. It can hide PIDs, files, tcp/udp/raw sockets, sniff TTYs. Next, it have integrated TTY shell access (xor+sha1) which can be invoked through any running service on a server. No compiling on target box needed, one binary can work on any of 2.2.x & 2.4.x kernels precompiled (libc-free).
| | Author: | Sd | | Homepage: | http://sd.g-art.nl/sk | | File Size: | 45051 | | Last Modified: | Jul 8 03:14:46 2002 |
| MD5 Checksum: | 5b947de74ce9ba53023569fe77cae75b |
|
| /// File Name: |
erne.txt |
Description:
|
New bypass shell for Linux servers. What you don't want to find lying around in your webroot.
| | Author: | Erne | | Homepage: | http://www.biyosecurity.net/ | | File Size: | 44624 | | Last Modified: | Sep 24 23:57:40 2007 |
| MD5 Checksum: | bf610ba81441e60aee255f2286010400 |
|
| /// File Name: |
latte-release-beta-0.1.zip |
Description:
|
Latte is a little unix backdoor which only allows one UID to use it.
| | Author: | C0w-d0g | | File Size: | 44311 | | Last Modified: | Nov 20 01:59:31 2002 |
| MD5 Checksum: | 50b42878974dd58eece52e4941727f5a |
|
| /// File Name: |
c99.tgz |
Description:
|
The Klueless Klowns Team variant of the c99 php shell.
| | Author: | Kristo Pher | | Homepage: | http://www.kkteam.co.uk/ | | File Size: | 42359 | | Last Modified: | Aug 18 20:18:25 2008 |
| MD5 Checksum: | d6506a5108aaebac55098b3e56a15083 |
|
| /// File Name: |
hacking_unix.txt |
Description:
|
Unavailable.
| | File Size: | 41819 | | Last Modified: | Aug 16 20:05:19 1999 |
| MD5 Checksum: | d853a748e2888235a93e150b90616e4a |
|
| /// File Name: |
mood-nt_2.3.tgz |
Description:
|
Mood-NT 2.3 is a linux kernel rootkit for kernels 2.4.x and 2.6 versions below 2.6.20. It can hide processes, files, connections (unix, raw, and ipv6 too), promisc flag and it allows tty sniffing, exec redirection, exec parameters sniffing, has an internal private init script for starting whatever you want on boot. It has a lot of anti-detectors engines and a unique hiding engine hardware based (through the debug registers) that makes it completely stealth on x86 machines. It fully supports vsyscalls and if the kernel changes it automatically reinstall itself on boot.
| | Author: | darkangel | | Homepage: | http://darkangel.antifork.org | | File Size: | 36881 | | Last Modified: | Jun 6 18:38:28 2007 |
| MD5 Checksum: | c22f5dbb5757237be40c621f487ae8e2 |
|
| /// File Name: |
rpv21.tar.gz |
Description:
|
Reverse Pimpage is a tool for allowing one to telnet backwards through a firewall, assuming the box is allowed to make outgoing tcp connections. You have to be able to get access to the inside machine first, though, to get the client on the machine.
| | Author: | Tommy. | | Homepage: | http://soomka.com | | Changes: | The terminal emulation now works. | | File Size: | 36773 | | Last Modified: | Feb 16 17:15:01 2000 |
| MD5 Checksum: | bc494b0a8cd6928710f1a50462b1d5b4 |
|
| /// File Name: |
mood-nt.tgz |
Description:
|
Mood-NT is a linux kernel rootkit suckit2-like for 2.4.x/2.6.x kernels. It can hide processes, files, connections (unix, raw, and ipv6 too), promisc flag and it allows tty sniffing, exec redirection, exec parameters sniffing, has an internal private init script for starting whatever you want on boot. It has a lot of anti-detectors engines and a unique hiding engine hardware based (through the debug registers) that makes it completely stealth on x86 machines. If the kernel changes it automatically reinstall itself on boot.
| | Author: | darkangel | | Homepage: | http://darkangel.antifork.org | | File Size: | 35005 | | Last Modified: | Oct 24 17:12:23 2006 |
| MD5 Checksum: | c046c7882ca919d595b8491be609d149 |
|
| /// File Name: |
pingrootkit.tar.bz2 |
Description:
|
Ping Rootkit executes a root shell by simply executing the well known and "trusted" command with a special argument and a password. Includes the full source code for ping as well as the patch.
| | Author: | Herrumbre | | Homepage: | http://www.gnuler.com.ar | | File Size: | 33902 | | Last Modified: | May 29 01:48:54 2006 |
| MD5 Checksum: | e19afeeeb6309c2e3b7f6dc750ce11b2 |
|
| /// File Name: |
SAdoor.0.2.beta.tgz |
Description:
|
SADoor is a non-listening remote admin tool for UN*X systems. It sets up a listener in non-promiscuous mode for a specific sequence of packets arriving to the interface before allowing command mode. The commands are sent MIME64 encoded in the TCP payload and decoded and passed on to system(3).
| | Author: | CMN | | Homepage: | http://www.mdstud.chalmers.se/~md0claes | | File Size: | 32640 | | Last Modified: | Sep 21 00:25:44 2001 |
| MD5 Checksum: | cd5507c7d2cdebc30a30ee19977bb14c |
|
| /// File Name: |
login.tgz |
Description:
|
login package for linux - backdoored.
| | Author: | TheFinn | | Homepage: | http://circuit4.net/~thefinn | | File Size: | 32632 | | Last Modified: | Mar 18 00:09:58 2002 |
| MD5 Checksum: | e9ead72cdd327d67c6cf4baf41610ee4 |
|
| /// File Name: |
pam_rootkit.tar.gz |
Description:
|
This pam backdoor allows access to a machine using a backdoor password and arbitrary commands can also be executed without logging in. Logs normal users passwords to a log file. Configurable without recompilation.
| | Author: | gml | | File Size: | 32593 | | Last Modified: | Jul 17 17:52:00 2004 |
| MD5 Checksum: | 969c99b76280ca474c9f945b12c3becb |
|
| /// File Name: |
defuserootkit2.tar |
Description:
|
Updated version of a utility that removes LKM rootkits that normally are undetectable via the help of vmalloc which manages the memory for a kernel module. Tested against Adore, Knark, Sinapse, Heroin, and others.
| | Author: | cameleonu | | File Size: | 30720 | | Last Modified: | May 29 00:44:42 2003 |
| MD5 Checksum: | 8c15ca479777cb3e1c5f8923e059f85f |
|
| /// File Name: |
Q-0.9.tgz |
Description:
|
First public release of Q - a client / server backdoor with strong (256 bit AES) encryption for remote shell access. Also supports encrypted tcp relay/bouncer server that supports normal clients (with a local encryption tunneling daemon). Includes stealth features like activation via raw packets, syslog spoofing, and single-session servers that prevent it from appearing in netstat.
| | Author: | Mixter | | Homepage: | http://members.tripod.com/mixtersecurity | | File Size: | 29989 | | Last Modified: | Nov 22 16:09:07 1999 |
| MD5 Checksum: | 29b5c339905f4426ee32f8b384efef18 |
|
| /// File Name: |
sneaky-sneaky-1.48.tar.gz |
Description:
|
Sneaky-sneaky is a bidirectional spoofed ICMP tunnel backdoor that has built-in encryption and logging capabilities. It communicates via echo replies keeping the true source IP address encrypted inside of the payload.
| | Author: | Phish | | Changes: | Now with delays, decoys, timeouts and spoofing options. | | File Size: | 21256 | | Last Modified: | Dec 24 03:44:39 2002 |
| MD5 Checksum: | d670d308e31f0caca1bda8cde0fc72c2 |
|
| /// File Name: |
sendmailcftrojan.tar.gz |
Description:
|
Backdoored sendmail.cf - Install on a system that is running sendmail it allows you to spawn an xterm on any remote host.
| | Author: | Naif | | File Size: | 20829 | | Last Modified: | Jun 14 12:47:05 2000 |
| MD5 Checksum: | 027013770bd78a014196b2f5b2adb3b3 |
|
| /// File Name: |
defuserootkit.tar |
Description:
|
This utility removes LKM rootkits that normally are undetectable via the help of vmalloc which manages the memory for a kernel module. Tested against Adore, Knark, Sinapse, Heroin, and others.
| | Author: | cameleonu | | File Size: | 20480 | | Last Modified: | May 8 21:00:45 2003 |
| MD5 Checksum: | 0488beaaf98b29ec2446da6c6665766d |
|
| /// File Name: |
kernel.keylogger.txt |
Description:
|
Kernel Based Keystroke Loggers for Linux - This paper describes the basic concepts and techniques used for recording keystroke activity under linux. Includes proof of concept LKM which is stealthy, works with recent distributions, and is capable of logging local logins and ssh sessions to and from the host. Tested on Slackware v8.0 with kernel v2.4.5.
| | Author: | Mercenary | | Homepage: | http://www.phreedom.org/article.php?id=28 | | File Size: | 20270 | | Last Modified: | Jan 26 15:24:34 2002 |
| MD5 Checksum: | a9615f10eaef0364e7e748a96c2fb1c1 |
|
| /// File Name: |
whodo.c |
Description:
|
Whodo.c is a simple local backdoor for the Solaris whodo command.
| | Author: | Dr. Genius | | File Size: | 20226 | | Last Modified: | Aug 17 12:56:35 2000 |
| MD5 Checksum: | 7ebf7fd1c6e52d36f0e165c4185020d4 |
|
| /// File Name: |
m_rev-0.2.c |
Description:
|
A little ptrace()-based utility for process argument/name hiding. Works on most Linux 2.6 kernels/configurations (x86/x86-64 architecture).
| | Author: | ernie@ernie | | File Size: | 20129 | | Last Modified: | Jan 29 21:49:07 2008 |
| MD5 Checksum: | 2e8bb365b19a752d7bde5b88a1045089 |
|
| /// File Name: |
allinone.c |
Description:
|
Allinone.c is a backdoor which is a http server, a sockets transmit server, a shell backdoor, a icmp backdoor, a bind shell backdoor, a http shell, copy file from remote host, can use a socks5 proxy.
| | Author: | Lion | | Homepage: | http://www.cnhonker.com | | File Size: | 19710 | | Last Modified: | Oct 21 02:01:23 2002 |
| MD5 Checksum: | 8bc44ad107518ac38b7003c5479ca020 |
|
| /// File Name: |
phalanx-b6.tar.bz2 |
Description:
|
Phalanx is a self-injecting kernel rootkit designed for the Linux 2.6 branch that does not use the now-disabled /dev/kmem device. Features include file hiding, process hiding, socket hiding, a tty sniffer, a tty connectback-backdoor, and auto injection on boot.
| | Author: | rebel | | File Size: | 19479 | | Last Modified: | Dec 27 03:25:28 2005 |
| MD5 Checksum: | 3d0ef3793579cd846e43a034d147ecd0 |
|
| /// File Name: |
sneaky-sneaky-1.12.tar.gz |
Description:
|
Sneaky-sneaky is a bidirectional spoofed ICMP tunnel backdoor that has built-in encryption and logging capabilities. It communicates via echo replies keeping the true source IP address encrypted inside of the payload.
| | Author: | Phish | | File Size: | 17353 | | Last Modified: | Nov 2 17:31:39 2002 |
| MD5 Checksum: | 1ff30567857b78272c86eaa119d49043 |
|
|
|
|
|
![.:[ packet storm ]:.](/images/ps-ani.gif)
